Posted
by
timothy
on Tuesday January 20, 2015 @11:36AM
from the well-you-look-guilty-from-here dept.

SonicSpike writes The investigative arm of the Department of Justice is attempting to short-circuit the legal checks of the Fourth Amendment by requesting a change in the Federal Rules of Criminal Procedure. These procedural rules dictate how law enforcement agencies must conduct criminal prosecutions, from investigation to trial. Any deviations from the rules can have serious consequences, including dismissal of a case. The specific rule the FBI is targeting outlines the terms for obtaining a search warrant. It's called Federal Rule 41(b), and the requested change would allow law enforcement to obtain a warrant to search electronic data without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network. It would also allow nonspecific search warrants where computers have been intentionally damaged (such as through botnets, but also through common malware and viruses) and are in five or more separate federal judicial districts. Furthermore, the provision would allow investigators to seize electronically stored information regardless of whether that information is stored inside or outside the court's jurisdiction.

If the FBI starts to attack Tor and VPN users, those users are going to fight back. If they are not in the US the FBI might not be able to stop them doing it either.

All this kind of thing does is make the US a more legitimate target for cyber attacks. The NSA and GCHQ are already fair game for hacking because they try to illegally hack you, so it's just self defence.

I wouldn't be surprised if people put up honeypots on Tor just to mess with 'em, and log all of the output over serial or something so that even if they get in, they can't purge the logs of their attempts.

I wouldn't be surprised if people put up honeypots on Tor just to mess with 'em, and log all of the output over serial or something so that even if they get in, they can't purge the logs of their attempts.

Search warrants are still subject to constitutional requirements of reason and due process; this is a procedural rule independent of that.

It will allow a judge to issue the warrant even if the FBI or police are not sure what judicial district it's happening in. It's important to let a magistrate judge approve a warrant on that basis, because the current rule 41(b) does not provide for it except in terrorism cases. So if you have someone selling hard drugs online, for example, but the government can't tell whether they are located inside the United States or not, this provides a way for them to get a warrant to search.

Now that the FBI is handling my corporate penetration testing for me, how to I contact the NSA to arrange for online backup/restoral and disaster recovery? What better use of federal corporate taxes!;-)

It is actually pretty easy to set up a fully transparent logging proxy. Just have it masquerade as an Ethernet switch, use a smart-switch that copies everything to a sniffing port, or, the really secure option, sniff passively using a classical dumb hub that is not smart enough to be hacked. I have several hubs here for Fast Ethernet that still work fine and I am not the only one. On the cheap, a physical SLIRP connection can be listened to with two serial inputs and that is totally undetectable, except for

The European Parliament's recent report on Echelon, written by British journalist Duncan Campbell, has sparked angry accusations from continental Europe that U.S. intelligence is stealing advanced technology from European companies so that we can -- get this -- give it to American companies and help them compete. My European friends, get real. True, in a handful of areas European technology surpasses American, but, to say this as gently as I can, the number of such areas is very, very, very small. Most European technology just isn't worth our stealing.

Why, then, have we spied on you? The answer is quite apparent from the Campbell report -- in the discussion of the only two cases in which European companies have allegedly been targets of American secret intelligence collection. Of Thomson-CSF, the report says: "The company was alleged to have bribed members of the Brazilian government selection panel." Of Airbus, it says that we found that "Airbus agents were offering bribes to a Saudi official." These facts are inevitably left out of European press reports.

That's right, my continental friends, we have spied on you because you bribe. Your companies' products are often more costly, less technically advanced or both, than your American competitors'. As a result you bribe a lot. So complicit are your governments that in several European countries bribes still are tax-deductible.

When we have caught you at it, you might be interested, we haven't said a word to the U.S. companies in the competition. Instead we go to the government you're bribing and tell its officials that we don't take kindly to such corruption. They often respond by giving the most meritorious bid (sometimes American, sometimes not) all or part of the contract. This upsets you, and sometimes creates recriminations between your bribers and the other country's bribees, and this occasionally becomes a public scandal....

You can't really separate those things. The simple fact of securing information is that once it's out you have zero control over where it goes.

As a company, the only outside people who should get access to your information are your lawyers and entities that have signed an NDA. Unless GCHQ is going to sign an NDA, a competent Airbus managment can not tolerate snooping.

They would care because they don't want the FBI hacking into their employee's computers while connected to the company servers via VPN. This "caring" might be due to caring about their employees (rare but it does exist in corporations), caring about their own computer security (much more likely), or worry over a FBI VPN hack uncovering corporate wrong doing (definitely possible). Companies that rely on VPN will use their lobbying might to fight this and there are some big companies that rely on VPN. I don't see this as gaining traction.

Then again, if the government screams "TERRORISM" or "PROTECT THE CHILDREN" loud and often enough, they've proven they can get almost anything passed. It's time someone changed the country's root passwords!

Capitalism is amoral. By that I mean it has no "right or wrong" other than a drive towards efficient market. People who make judgements have morals (or lack thereof) . We don't live in a Capitalist marketplace. There are way too many intrusions into free enterprise by government to be capitalist, we are just a socialist, corporatist, capitalist hybrid.

And of course, we have plenty of people who take a short term approach to market and cash out long term goals for short term profits, the long term result are

I imagine corporations will fight back legally if/when their employees start getting hacked by the FBI.

Why would a corporation care?

One word: Liability.

Corporations would very much care because of liability concerns - both domestically to the US and foreign to other countries. It's already becoming enough of an issue that companies are taking to hosting data regionally instead of centrally just from a legal liability perspective.

For instance, suppose there was conversation going on regarding what to disclose to the US government over the operations of a foreign subsidiary between the execs and their lawyers? Regardless of the topic, matter-at-hand, or end result that is protected conversation regardless of medium, and the existence of the VPN would mean they expected it to be carried out in private.

My corporation would care as we access data that's considered controlled goods, and can be fined heavily and lose a good part of our business if the data gets accessed by anyone else. I'm not sure the State Department is going to say that's ok, since it was the FBI, because the VPN is then known to not be secure.

I think thats the point. Once they start fighting back, you can now openly declare war, and then have everyone who even remotely looks suspicious arrested.

Read, the war on nerds continues

Realisticly what can we do?

How about this, until this happy horse shit stops, lets all boycott working for the federal government. Take a job somewhere else. Unexpectedly find reasons to be somewhere else when they ask for help. Play internet detective and debunk all their theories on digital warfare.

Someone else can wage digital war on North Korea, Syria, Russia, and China. Someone else can keep state secrets safe. Just pass this around until we get a complete boycott on working for Uncle Sam.

Lets also continue to heckle recruiters and inform the n00bs to stay away from these people.

Yeah, it's not like the high-functioning sociopaths that seem so well-represented in the programmer population would be at all interested in the six-figure salaries offered by the secret government agencies with access to the most advanced and expensive computing resources on the planet, and may, with the blessing of the government, go crack and exploit all the things. I'm sure the "strike" will be very effective.

Actually the sociopaths tend to go into management, not programming. From my own experience I would say that programmers are very rarely in the psychopathy spectrum, more typically going toward the autism spectrum. I was curious as to what value psychopaths had in an evolutionary sense (both individually and in society), and I learned that they can be valuable. In an experiment with spiders, an equivalent to psychopathy was indicated as a group survival trait, as without it nobody defended the group agai

Ever heard of that treasonous document that starts out "When in the Course of human events it becomes necessary for one people to dissolve the political bands which have connected them with another and to assume among the powers of the earth, the separate and equal station to which the Laws of Nature and of Nature's God entitle them, a decent respect to the opinions of mankind requires that they should declare the causes which impel them to the separation."?

It goes on to say: "Prudence, indeed, will dictate that Governments long established should not be changed for light and transient causes; and accordingly all experience hath shewn that mankind are more disposed to suffer, while evils are sufferable than to right themselves by abolishing the forms to which they are accustomed. But when a long train of abuses and usurpations, pursuing invariably the same Object evinces a design to reduce them under absolute Despotism, it is their right, it is their duty, to throw off such Government, and to provide new Guards for their future security."

The signers of the Declaration of Independence and the people who fought for the Colonies independence were committing treason.

Indeed, the 2nd Amendment self-state purpose is to allow the citizens to preserve their freedom from a despotic federal government that was being formed by the same document. Rather, the government being formed could become despotic and need to be thrown off, and the the 2nd provides the basis for that.

This is pretty clear from various Founder's explanations, e.g. Alexander Hamliton "[I]f circumstances should at any time oblige the government to form an army of any magnitude[, ] that army can never be formidable to the liberties of the people while there is a large body of citizens, little, if at all, inferior to them in discipline and the use of arms, who stand ready to defend their own rights and those of their fellow-citizens."

The Framers had *just* completed an armed (and treasonous) insurrection of their own, and were keenly aware of the fact that any government they might form could (and probably would) become despotic. The 2nd at least put a floor under the people's ability to fight back against that potential.

First off, the Declaration of Independence was a call to arms, not a legally binding precedent. Only the Constitution can be used as the source of what is considered legal. Second, Using the second amendment to rationalize treason is absurd. The second amendment and the treason clauses are both within the framework of the US government. If you are planning on using the Declaration of Independence as precedent, you are talking about overthrowing the US government, which means throwing out the Constitution an

... against all enemies foreign AND DOMESTIC. You can throw out the corrupted implementation and keep the founding document quite easily. Maybe minus a couple hundred of the latter amendments. (minus 3 or so good ones: equal rights for women and race, Miranda etc.)

Hint: pay attention to the second amendment. It gives you certain rights to conduct certain activities.

If one person takes up arms against the US government he's a lone wolf, a crazy, an incident.
If one hundred people do, they're an extremist organisation (under a certain threshold of skin darkness) or a terrorist organisation (over said threshold). If a hundred thousand people do this, they are a political movement, and they may as well use political means, because organising a hundred thousand people will have required a lot of politics anyway, and it is better to just continue.

only a tiny fraction of computer users are talented enough to get a job. The ones that are really good with computers tend to be more aware of rights. Awareness would make this work, but in history, strikes, slowdowns, etc... have been very effective.

The feds already have a hard time, many geeks are already more aware, intellegent and active than the typical person, and more prone to action as well. It really would not take much to make a point. Many of them are also involved activities that disqualify th

This is just Phase 1. Once this is in place then in Phase 2 if you ever use any service that uses https then you must be trying to hide something and so they can take all of your data. Same for any other use of encryption, you might be a criminal or terrorist hiding something. And if you ever send anything through the mail in a sealed envelope, well you must be a criminal trying to hide stuff.

If the FBI starts to attack Tor and VPN users, those users are going to fight back.

Both TFA and the summary wildly misrepresent what this is all about. The FBI is NOT asking for permission to attack anyone that happens to be using Tor or a VPN. What they are asking for is the ability to get a warrant to search a particular Tor/VPN node, that appears to be engaging in criminal activity, without knowing who the owner is or where the system is physically located.

Yes, it is troubling, and we should be having a rational discussion about that. Instead we have a lot of hysterical rants based on the wildly misleading headline, summary, and article, that imply that the FBI wants to "legally hack" anyone connected to TOR or a VPN. That is not at all what this is about. By trying to manufacture outrage about a phony issue, the author is obfuscating the real issue.

Or if you know somebody who has used TOR or a VPN. Or if you know what TOR or VPN is. Or if you might know somebody who might possibly know someone else who could know what TOR or VPN is. In fact, the FBI just wants to hack you.

My computer is not so well shielded against attacks. And you might want to take a good look at that "terror_cells_US.docx" file. Yes, you may have to activate macros, it has a bit of active content.

What? Me hack the FBI? I swear, I never even thought about it. I had this proof of concept for how to infest even well guarded VM-secured analysis centers to the point of taking them offline or making them my bitch on my PC but I have no idea how it got there...

Good luck with that. I don't know if you watched Skyfall one too many times, but all of those centers are disconnected from the internet and run on their own network, precisely for this reason.

Fairly close. Where those networks need to cross over they are protected by what the military had labeled the 10 digit interface. Some poor SOB has to read what is on screen A and type it in on screen B.

So the Postal service is still the most secure legally protected method for sending data. Just mail CDs.

The USPS scans all mail [nytimes.com]
The USPS monitors mail [washingtontimes.com] on behalf of the feds without any authorization.
What's to stop them from opening it without a warrant? Sorry but the whole system is controlled and abused by your favorite government officials.

Sidenote: CDs were replaced by DVDs and now Blu Rays. Just fyi if you want to send more than 700mb of crap.

Boy, I can imagine all of the companies that have employees connect through VPNs to do confidential work will love this. I work for an internationally-based corporation that has me on a VPN before I can even BEGIN to work and I would imagine they'll be pretty pissed off if the FBI is legally hacking into their private systems.

This is such bullshit. When are we going to get some lawmakers who actually understand the fucking technology?

When are we going to get some lawmakers who actually understand the fucking technology?

They understand the technology well enough. It's the Constitution they're having problems understanding.

They understand the Constitution well enough. They just don't care about it all that much. After all TERRORISTS and PROTECT THE CHILDREN (and the power grabs that these words enable them to achieve) are much more important to them than a 200+ year old piece of paper.

...just a few few days ago? How do you like him now? That's right, he's still smearing turds all over the Constitution, and having him gone will be one of the best things about Obama's terms finally ending.

You win some, you lose some. Mr. Holder is a lot like just about everybody else in the government. They do a lot of good and a lot of evil, and it's all mixed up together. When they say or do good things you give them credit. When they say and do evil things you lambaste them. Or would you rather not run your life by ethics and logic?

Technically [xkcd.com] this is the FBI, so you should be pissed off at Comey, not Holder. Comey is officially Holder's subordinate at the DoJ, though I'm not sure how much the FBI chief really answers for.

And you won't have to wait so long for Holder's departure; he announced his resignation months ago and Obama already tapped his replacement [wikipedia.org].

ALL major online email providers (google mail, yahoo, microsoft, etc.) and all major company networks work internally by using a VPN between the various locations that those companies have around the country/world... => they are going to be hacked... and this will raise an enormous shitstorm.

That horse [imgur.com] has already left the barn [imgur.com], they even poked fun at Google's internal setup with a doodle [imgur.com]. There was no enormous shitstorm. Google responded by encrypting their internal traffic (or announcing that they did, anyway) and life went on. Millions upon millions of Americans simply don't care, and millions more actually want the government reading everyone's email because they think it protects us from them ay-rab turrists. Until the surveillance apparatus somehow fucks up football or The Voice or Pawn Stars, nobody's going to give a shit.

For reasons I've never been entirely clear on, a lot of commercial proxy servers market themselves as "VPN providers", I'm guessing they offer connectivity via one of the common VPN protocols, but they resemble your office VPN the same way a legitimate business resembles a "Legitimate business".

So in order to get around isps bitching about too much netflix traffic someone uses a vpn. They may very well use one of these "VPN providers" that you claim exist to carry "legitimate traffic."

Usage of a VPN for non-business purposes doesn't automatically mean criminal activity. If the FBI knows a VPN provider is being marketed as a service for hiding criminal activity there is nothing stopping them from getting a warrant now - loosening the restrictions is just a power grab.

"context" don't make me laugh. There is no application of context to modern law. All sides take advantage. The words are stretched and the intents are ignored until the law can practically mean anything the AG wants it to mean that day. "VPN" already has plenty of interpretations in the tech world once the legal world gets hold of it, it is certain to be interpreted as just about anything that isn't a direct essentially the most direct path between hosts available using a plaintext protocol.

If you think otherwise you are crazy, or haven't been paying attention.

When I had a contract with a local telco I would have to use a VPN in order to get onto a network with a test switch. The problem with I had was that I lost my access to the Internet with that connection. What I ended up doing was running the VPN in a virtual machine. My software ran in the virtual machine connecting to the test switch without a problem but the rest of my computer still had access to the Internet.

You could do the same and only your business stuff would be sent over the VPN. Of course th

Having the government collect and spend more money is an empowerment. It can empower good, and it can empower evil. You might want to consider that the problem is not the government itself. The government is made up of people. That is like saying the problem is people.

There are problems only the government can address, and you won't make any progress with those problems by strangling the government.

The problem is people, that is why we set a government up in the first place; primarily to protect ourselves from each other.

So yes government is the problem. It never can be anything better than a necessary evil. It should be restricted, strangled, starved, and otherwise impeded to the point it can only barely achieve its goal of protecting people from each other, with minimal efficacy. To allow it to get any bigger or more capable than that as we have done not only invites abuse but assures it.

Are we beginning to see that the problem is the government itself, and not the particular party in power?

If you've read so much Rand that you believe that keeping a mining company from dumping lead and arsenic into your drinking water is just as evil as illegal spying and assassinations, maybe. Cuz gubbmit.

NSA and others do it and will do it no matter what the law says, while their dime eyed lawyers continue telling that they are defending our liberties. FBI was also doing it, but now that the discussion is public, there are same voices, probably in-house lawyers, who foresee a case in the future where the litigation is lost if FBI will continue lying using the paralel construction, like they (and all others) always did.

That bit about "particularly describing the place to be searched, and the persons or things to be seized" isn't just a matter of criminal procedure. It actually comes from the constitution. Really -- check the restroom at headquarters, it's right there on the toilet paper.

They seem to be asking for all of this, but I wonder which subset of these they actually expect to get. If they ask for 10 unreasonable things but only get one, will we celebrate, or mourn the loss of one more civil right to privacy?

It's the same thing we always hear all the time. The lines that are an attempt to fool the general public. It goes "We need "x" because we can't do our job, and if we can't do our job your "(family, kids, wife, money, future, home, the earth)" are all in danger, so do it for them!"

I agree. The pathetic thing is that they keep trying to frame these requests as "we really want to do our job well but can't because of X." All I hear is "Doing our job with X in place is too haaard!" in the same whiny voice a kid might use if asked to take out the garbage instead of playing video games. These attempts aren't "we can't do our job" requests, but attempts to change the system - which was put in place to prevent abuses - because they're just too lazy to work within the system the way they'v

Sure, but this should be pretty easy for them to get. I've seen headlines from the Silk Road case that the judge and jury are confused by the (and I quote) "mumbo jumbo" about Tor, and basically have no understanding of what it is.

The specific rule the FBI is targeting outlines the terms for obtaining a search warrant. It's called Federal Rule 41(b), and the requested change would allow law enforcement to obtain a warrant to search electronic data without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network.

Everything my employer does is via a VPN. This little change would be carte blanche for virtually all corporate communications within the United States. Even the company's internal networks would be laid bare if they're remotely accessible. The opportunities for abuse are staggering.

The first arrest that happens due to this, will result in appeals that will eventually get this rule overturned as unconstitutional.

This is no different than saying your neighbor committed a crime so we want to search your house as well due to proximity to him. A decent lawyer will be able to make the argument that just because you are on a TOR or a VPN does not mean you are doing something illegal.

TOR was created as a method to allow people in oppressed countries to speak freely, it is funny that the country that funded this is now going to be one of those oppressed countries.

...without providing any specific details as long as the target computer location has been hidden through a technical tool like Tor or a virtual private network. It would also allow nonspecific search warrants...

Text of the 4th amendment to the constitution:

The right of the people to be secure in their persons, houses, papers, and effects,[a] against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

The article is light on details, but if it is accurate, this looks like a straightforward violation of the 4th amendment. The devil is always in the details though. The article may be an oversimplification.

Articles like this often get written because the author doesn't really understand the law, and rather than really trying to understand what's going on they just guess. The claims made in this article are so wildly off-base, however, that it makes me question whether the author is just trolling people.

Contrary to what the article suggests, Federal Criminal Rule 41(b) does not have a thing to do with what evidence law enforcement agencies are required to show to get a warrant, nor does it authorize the FBI (or anyone else) to get any particular type of warrant. Rule 41(b) is about VENUE; e.g., if you've already got enough evidence to get a search warrant, what judge (in what federal District) is the judge that you are supposed to present that evidence to?

The basic rule it sets out is that, when you want a warrant, you ask a judge located within the District where the person/property you want to search is located. There are exceptions to that basic rule, much like any other rule, because it's not always a simple matter of "X is located here." Sometimes things are located across several different Districts, sometimes they're mobile and can be easily moved to another District, etc. This is why there are currently 5 subsections to 41(b), each dealing with slightly different semi-unusual factual scenarios. At the end of the day, each exception is there for a very simple reason: to clearly and unambiguously tell federal law enforcement agencies how to identify the judge they are supposed to go to if they want to get a search warrant.

What the DOJ is asking for is a scenario not currently covered by Rule 41(b). That being...what happens if you are dealing with someone you know to have committed a crime, you have enough evidence to get a search warrant, but the perpetrator of the crime is using some sort of technological means (like encryption, IP masking, etc.) to prevent you from finding the exact physical location of whatever you want to search? As of right now, it is not clear who the right judge would be to issue that warrant. The only thing the proposal would do is say that, if you can't identify the physical location of the computer to be searched (and therefore do not know which federal District it's located in), then you can go get your warrant from a judge in the District where the target of the crime was located.

Example: I'm an evil h@xx3r, and I hack some computers at the GooglePlex. I have masked my IP address, so the FBI does not know exactly where I'm at. Under current Rule 41(b), it's not clear who the right judge would be to try to get a warrant from. Under "new" Rule 41(b), they can go to a judge in California since that's where the GooglePlex is located.

That's literally the only thing this proposal would change. It says nothing about VPNs or TOR networks. It does not give the FBI (or any other law enforcement agency) the authority to hack your computer or your phone whenever they want. It doesn't even grant them the authority to do that with a warrant, because they already have the ability to do that with a warrant. It also doesn't say anything about how much evidence they have to present to get the warrant, because Rule 41(b) has nothing to do with that. The standards for search warrants are exactly the same as they have been for years; this proposal would only clarify who the right judge is to issue the warrant.

I don't know a whole heck of a lot about the "FEE" is, but if this article is representative of their work and/or legal abilities then color me unimpressed.

There are a host of federal regulations regarding maintaining the privacy of data that necessitate the use of corporate VPNs. Were the FBI to hack a corporate VPN and expose regulated data to the internet or the public via documents in an open hearing, the circus that would ensue as the Attorney General would try to explain how the FBI is exempt from all of those regs would be both entertaining and horrific.

At least 50 U.S. law enforcement agencies have secretly equipped their officers with radar devices that allow them to effectively peer through the walls of houses to see whether anyone is inside, a practice raising new concerns about the extent of government surveillance.

Those agencies, including the FBI and the U.S. Marshals Service, began deploying the radar systems more than two years ago with little notice to the courts and no public disclosure of when or how they would be used. The technology raises legal and privacy issues because the U.S. Supreme Court has said officers generally cannot use high-tech sensors to tell them about the inside of a person's house without first obtaining a search warrant.

The radars work like finely tuned motion detectors, using radio waves to zero in on movements as slight as human breathing from a distance of more than 50 feet. They can detect whether anyone is inside of a house, where they are and whether they are moving.

Current and former federal officials say the information is critical for keeping officers safe if they need to storm buildings or rescue hostages. But privacy advocates and judges have nonetheless expressed concern about the circumstances in which law enforcement agencies may be using the radars — and the fact that they have so far done so without public scrutiny.

To be honest, I'm fine with that one. It's only for scanning buildings before entering to serve already-valid warrants. Using it constitutes a search in and of itself and may not be done without a warrant. They're not driving down the streets scanning everybody's homes.

Not that they wouldn't want to. They totally would. But the Supremes already put a stop to that with the ruling about the infrared cameras being used to spot grow houses.

If the cops are already going to bust down my door (remember, they alrea

It's only for scanning buildings before entering to serve already-valid warrants.

And what proof do you have of that? What assurances do you have they don't abuse this?

Sorry, but assuming law enforcement gives a shit about the law, or will follow it, is now such a naive and moronic statement as to be bordering on delusional. Increasingly, law enforcement wants to get around the law and oversight, and just do whatever the hell they want.

Which means you more or less have to assume they're going to misuse every tool in the book, and treat them like children.

And a valid warrant? Don't make me fucking laugh. How many times have law enforcement broken into the wrong damned home and killed some poor schmuck who wasn't doing anything other than defending his home from masked assailants?

I'm long past the point where I trust the actions, motivations, or ethics of the fucking police.

Because apparently they either don't know the law, or don't care.

Which is precisely why people don't trust them, and are growing hostile to them. If collectively the police don't give a shit about our rights, WTF would we give them more power with less oversight.

Sorry, but this is bad policing by agencies who find following the law too inconvenient.